Saturday, May 26, 2012

PowerSploit - A PowerShell Post-Exploitation Framework

After recently reviewing my code for PowerSyringe, I realized it was total crap. Although it worked and got the job done in most cases, it was ugly. Also, upon discovering how to achieve true memory residence when working with Win32 functions, I decided it was time to dismember PowerSyringe. Behold... PowerSploit. PowerSploit retains much of the functionality of PowerSyringe, but I decided to split each payload into a separate script according to its function. Currently, PowerSploit is comprised of the following scripts:

Invoke-DllInjection

Invoke-Shellcode

Encrypt-Script

Also, I've finally given my code a good home on GitHub. Moving forward, any new functionality and scripts will be hosted under the PowerSploit repo.

Here's a highlight of the changes I made to the original PowerSyringe:

All the features of PowerSyringe have been split into separate scripts, which now fall under the PowerSploit project.

Completely rewrote the PowerSyringe code from scratch.

All scripts are now in conformance with proper PowerShell verb-noun agreement.

All the scripts are now entirely memory-resident. This is made possible through reflection. For more information on the implementation details, read my blog post.

Improved error handling. Error handlers should now pick up on every fault.

Added calls to VirtualFree for proper cleanup.

Detailed output is now displayed when the -Verbose option is enabled.

The CreateThread assembly stub is now implemented in a function and is much more readable.

As always, let me know if you have any legitimate issues with any of the scripts.

As a security professional, I'd say that my biggest request would be to make the PowerShell execution policy an actual security feature. If an administrator only wants to allow signed scripts, then you should only be able to execute signed scripts. Also, while I absolutely love the feature set that PowerShell brings, someone who wishes to do harm on a compromised machine has far too much power to do so. Lastly, PowerShell really enables an attacker to easily bypass typical host-based security solutions. I have yet to see a single security product flag a malicious PowerShell script based upon its signature or behavioral heuristics.
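The behavioral-heuristics point above is the one defenders can act on most directly. The following is an added example written for this page, not PowerSploit or PowerSyringe code: a small PowerShell scanner that scores script text for the traits the post describes, reflection-based access to Win32 functions combined with memory-allocation and thread-creation APIs (VirtualAlloc, VirtualFree, CreateThread). The indicator list, the weights, the threshold, the Get-PowerShellRiskScore function name and the two sample inputs are all assumptions constructed for illustration, not a vendor ruleset.

```powershell
# Added example (not part of PowerSploit): heuristic scoring of PowerShell text
# for reflection + Win32 memory/thread API usage. Indicator names and weights
# are assumed for illustration only.

function Get-PowerShellRiskScore {
    [CmdletBinding()]
    param(
        # Script text to inspect, e.g. (Get-Content .\script.ps1 -Raw)
        # or the text of a logged script block.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ScriptText
    )
    process {
        # Regex indicator -> weight. Reflection on its own is common in
        # legitimate scripts; the combination with Win32 memory and thread
        # APIs is what is unusual, so those carry the most weight.
        $indicators = [ordered]@{
            'DefineDynamicAssembly'    = 2
            'System\.Reflection\.Emit' = 2
            'GetProcAddress'           = 2
            'GetModuleHandle'          = 1
            'VirtualAlloc'             = 3
            'VirtualFree'              = 1
            'CreateThread'             = 3
            'Marshal\]::Copy'          = 2
            'FromBase64String'         = 1
        }

        $hits  = @()
        $score = 0
        foreach ($pattern in $indicators.Keys) {
            # -match is case-insensitive by default, which is what we want here.
            if ($ScriptText -match $pattern) {
                $hits  += $pattern
                $score += $indicators[$pattern]
            }
        }

        [pscustomobject]@{
            Score      = $score
            Indicators = $hits
            Suspicious = ($score -ge 6)   # threshold is an assumption
        }
    }
}

# Constructed sample inputs (not real PowerSploit source). The first only
# uses ordinary reflection; the second references the Win32 API names the
# post mentions and should score well above the threshold.
$benign = @'
$asm = [System.Reflection.Assembly]::LoadWithPartialName('System.Web')
$asm.GetTypes() | Select-Object -First 5
'@

$suspect = @'
$h    = [Win32]::GetModuleHandle('kernel32.dll')
$addr = [Win32]::GetProcAddress($h, 'VirtualAlloc')
$mem  = [Win32]::VirtualAlloc(...)
[Win32]::CreateThread(...)
'@

# Expected: the benign text scores 0, the suspect text scores 9 and is flagged.
$benign, $suspect | Get-PowerShellRiskScore | Format-Table -AutoSize
```

Run it in a PowerShell session with a script's contents piped in; a practitioner would feed it the text of scripts found on disk or, on newer PowerShell versions than the post discusses, logged script blocks. The point of weighting is that any single indicator (reflection, base64 decoding) appears in plenty of legitimate administration scripts, while the co-occurrence of reflection, VirtualAlloc and CreateThread in one script is the pattern worth a closer look.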

From an attacker's perspective, I'm really looking forward to integration with the Roslyn compiler. It will make executing malicious scripts in memory that much easier. I have to admit, reflection is painful. ;D